Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Which takes precedence, http-equiv or HTTP response header?

Tags:

html

http

This question seems duplicate, but after some research, no solid answer is found. The sub questions are:

  1. When http-equiv and HTTP response header have the same key, and their corresponding value conflict, which one takes precedence?
  2. Is there any specification for the 1st question, even if it's not followed by browsers?
  3. If there is no specification, what happens? Was there any discussion in standard groups? This behaviour definitely need to be defined in some standards.

Here are some research work:

  • I checked 4.2.5.3 Pragma directives in HTML specification, but precedence is not mentioned (except for http-equiv="set-cookie", in which case real HTTP response header takes precedence).
  • In response header VS meta tag, it seems real HTTP response header takes precedence for Content-Type
  • In Which X-UA-Compatible takes precedence? Http-header or Meta-tags?, it seems http-equiv takes precedence for X-UA-Compatible

In my opinion, either decision makes sense, but isn't there a general answer?

like image 478
shaochuancs Avatar asked Mar 15 '17 06:03

shaochuancs

People also ask

Which is the correct responsibility of HTTP response header?

The response-header fields allow the server to pass additional information about the response which cannot be placed in the Status- Line. These header fields give information about the server and about further access to the resource identified by the Request-URI.

Do HTTP responses have headers?

A response header is an HTTP header that can be used in an HTTP response and that doesn't relate to the content of the message. Response headers, like Age , Location or Server are used to give a more detailed context of the response.

What is the difference between request headers and response headers?

Request headers contain more information about the resource to be fetched, or about the client requesting the resource. Response headers hold additional information about the response, like its location or about the server providing it.

What is HTTP-equiv used for?

The http-equiv attribute provides an HTTP header for the information/value of the content attribute. The http-equiv attribute can be used to simulate an HTTP response header.

Video Answer

3 Answers

From the documentation it is not clear what is the precedence of Content-Security-Policy in http-equiv vs. http header. I have tested experimentaly on Firefox 62.0:

<meta http-equiv="Content-Security-Policy" content="script-src 'self' https://www.google-analytics.com/analytics.js"/>
<script src="https://www.google-analytics.com/analytics.js"></script>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>

When HTTP header is not set, the console argues about facebook.net only.

With header set Content-Security-Policy "script-src 'self' https://connect.facebook.net/en_US/fbevents.js" the console argues about both www.google-analytics.com and facebook.net.

When http-equiv is removed and header for facebook.net kept, the console correctly argues about google-analytics.

From that it seems the combination of http-equiv and http header is detected as duplicate definition and not recognized at all.

like image 75
dosmanak Avatar answered Oct 24 '22 06:10

dosmanak

from MSDN:

If both of these instructions are sent, the developer's preference (meta element) takes precedence over the web server setting (HTTP header).

I couldn't find whether it is IE\IIS specific behavior, or a standard.

like image 1
Shahafo Avatar answered Oct 24 '22 05:10

Shahafo

The answer posted by Shahafo may be correct for the X-UA-Compatible header and IE 11, but does not appear to be true in the general case. For example, for Firefox and Chrome, caching-related HTTP headers have a higher precedence than caching-related http-equiv tags. For IE 11, the situation is reversed.

like image 1
John M Avatar answered Oct 24 '22 04:10

John M
Sign in to Comment

Related questions

How to gray out a HTML element
PHP $_POST not working? [duplicate]
jQuery .focus doesn’t actually focus a newly created element
Do <img> tags in html support animated gifs?
"Best fit" font size - how do I measure a sentence width?
Hide mobile browser's address bar on load (IOS / Android) in React
Play multiple instances of an html5's Audio object
How to modify the caret with css [duplicate]
input type="file", clearing file after clicking cancel in chrome
Safari 7.0.1 and onsubmit
Text vertical alignment issue in android and ios
Validate all fields at once with HTML5 instead of one at a time
Prevent chrome from autofilling creditcard info

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!